Remove specific groups using Before Provisioning rule

Hi,

I’m using the service standard before provisioning rule to remove specific groups during operation disable. I see an option to exclude the groups which I don’t want to remove. I want to see if anyone has tried an include option to only remove the groups in the inclusion list.

Hi @chandramohan27 ,

I see the same question is being repeated. Please don’t duplicate the question.

@amulpuru

No, I don’t think it’s a duplicate.

I know we can have exclusion filter. All I want to check is if there is inclusion filter.

Different approach for you Chandra - have you considered Roles and assignment criteria?
Set up a role with the groups that you want to be removed when the account is disabled. Set the assignment criteria to include that the account should be active (among whatever assignment criteria is needed). Then, when the user moves from active –> disabled on the account, they will be removed from this role, and the access will be deprovisioned (as long as they haven’t inherited the access from somewhere else).

It sounds like the list of groups to be retained is longer than the list of groups to be removed. If this is a known list, and the concern is about adding a long list of groups to the value section in the standard before‑provisioning rule, you can store that known list in an identity or account attribute and reference it in the rule using #{identity.attribute} or #{account.attribute}. You can give this a try, although from the documentation it seems only one group name is allowed; it’s not a list.

If the list is not known or cannot be stored this way, then a custom before‑provisioning rule would be required or some kind of role assignment criteria.

@chandramohan27 It’s difficult to skip a specific group from removal after disable with the services standard beforeProvisioning rule. But you can achieve this by writing a beforeProvisioning rule:

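    import sailpoint.object.ProvisioningPlan;
    import sailpoint.object.ProvisioningPlan.AttributeRequest;

    // Remember a group whose name contains "Domain" so it is not removed
    if (groupName.startsWith("Domain") || groupName.contains("Domain")) {
        grpToSkip = groupName;
    }

    // While iterating your entitlement/group attribute
    if (!ent.equalsIgnoreCase(grpToSkip)) {
        // Queue a Remove for every group except the one to skip
        accountRequest.add(new AttributeRequest("<entAttributeName>", ProvisioningPlan.Operation.Remove, ent));
    }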
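
The inclusion-list variant asked about at the top of the thread, as an added example that is not part of any post above and is not SailPoint's own code: on a Disable request it removes only the groups that match an inclusion keyword and leaves every other membership in place. Assumptions: the group attribute is `memberOf`, the keywords are constructed samples, the rule context supplies `plan`, `application` and `idn`, and `idn.getRawAccountAttribute` is available to read the account's current groups.

```java
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Assumed names, not from the thread: attribute name and sample keywords.
String GROUP_ATTR = "memberOf";
List includeKeywords = new ArrayList();
includeKeywords.add("VPN");        // constructed sample keyword
includeKeywords.add("Privileged"); // constructed sample keyword

// True only when the group name contains one of the inclusion keywords.
boolean isIncluded(String groupName, List keywords) {
    if (groupName == null) return false;
    String lower = groupName.toLowerCase();
    for (int i = 0; i < keywords.size(); i++) {
        if (lower.contains(((String) keywords.get(i)).toLowerCase())) return true;
    }
    return false;
}

if (plan != null && plan.getAccountRequests() != null) {
    List requests = plan.getAccountRequests();
    for (int i = 0; i < requests.size(); i++) {
        AccountRequest accountRequest = (AccountRequest) requests.get(i);
        // Act only on Disable; every other operation passes through unchanged.
        if (!AccountRequest.Operation.Disable.equals(accountRequest.getOperation())) continue;

        // Current memberships can come back as a single value or a List.
        Object raw = idn.getRawAccountAttribute(application.getName(),
                accountRequest.getNativeIdentity(), GROUP_ATTR);
        List current = new ArrayList();
        if (raw instanceof List) current.addAll((List) raw);
        else if (raw != null) current.add(raw.toString());

        // Default is keep: a Remove is queued only for groups on the inclusion list.
        for (int j = 0; j < current.size(); j++) {
            String ent = String.valueOf(current.get(j));
            if (isIncluded(ent, includeKeywords)) {
                accountRequest.add(new AttributeRequest(GROUP_ATTR,
                        ProvisioningPlan.Operation.Remove, ent));
            }
        }
    }
}
```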

@sagar_kamalakar @rpriya @margocbain

Thanks for your valuable suggestions. Since we are using access profiles for requesting, what I thought is to use Workflows to check with keywords and remove the specific entitlements through manage access.